Plesk GDPR Compliance
For more information, read the article about GDPR compliance on the Plesk blog. Have questions? Reach us at firstname.lastname@example.org.
The GDPR data subjects relevant to Plesk are:
- Plesk administrators, who provide their personal data (e-mail) to receive Plesk licenses or newsletters, are subjects in GDPR relations with Plesk International GmbH. We store this personal data in the Key Administrator and Partner Central services to fulfill contractual obligations. We also use HubSpot, a third-party service, to contact them.
- Plesk users, whose accounts are created on Plesk servers. Plesk users are subjects in GDPR relations with Plesk administrators.
- Site visitors, who visit websites hosted on Plesk servers. Site visitors are subjects in GDPR relations with Plesk administrators and Plesk users (website owners).
Is Plesk Obsidian GDPR compliant?
In short: yes! Here's what you need to know about the specific details of GDPR compliance as related to Plesk Obsidian:
- Plesk Obsidian explicitly requests consent or a contract agreement from the Plesk administrator before sending their personal data to the Key Administrator and the Partner Central services.
- Personal data of Plesk administrator aliases and Plesk users other than the administrator is not sent anywhere.
- Plesk Obsidian anonymizes IP addresses in logs every 24 hours. The data from the logs is not sent anywhere. Each IP address may be stored in its original form for up to 24 hours before being anonymized (GDPR regulations do not specify how long IP addresses can be stored). In addition, Plesk users can configure log rotation to automatically remove log files after a number of days have passed since a log file's creation.
IP address logging
The following services log IP addresses of clients:
- Web servers (Nginx, Apache)
- Mail servers
- Web analytics reporting tools (AWStats, Webalizer)
Depending on your individual situation, here are some steps you may need to take to ensure you are GDPR compliant:
- Anonymize IP addresses stored in log files. This should have no impact on Plesk operation. Fail2ban should continue working since Fail2ban processes log files before they are anonymized.
- Disable web analytics reporting tools. If you do, users will not be able to use AWStats and Webalizer in Plesk.
- Set up forced log rotation for all domains in Plesk. If you do, daily log rotation will be enforced for all existing domains. Customers and resellers will be unable to override this setting.
- Disable IP address logging. If you do, Fail2ban will not be able to protect hosted websites. In addition, AWStats and Webalizer will lose the ability to aggregate web statistics based on IP addresses.
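To make the first step concrete, here is an added Python example (not Plesk's code, and not a description of how Plesk itself anonymizes logs) that masks client addresses in log lines and audits a log for addresses that still carry host bits. The masking widths (/24 for IPv4, /48 for IPv6) and all function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumed policy for this example (the page does not state Plesk's): keep the
# first 24 bits of IPv4 and the first 48 bits of IPv6, zero everything else.
KEEP_BITS = {4: 24, 6: 48}

# Standalone runs of hex digits, dots and colons; ipaddress decides whether a
# run really is an address, so timestamps and version strings pass through.
# Addresses glued to a port ("203.0.113.5:443") are not covered here.
TOKEN = re.compile(r"(?<![\w.:])[0-9A-Fa-f:.]{3,45}(?![\w.:])")

def mask(addr):
    """Return addr with its host bits zeroed according to KEEP_BITS."""
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return net.network_address

def _parse(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def anonymize_line(line):
    """Replace every valid IP address in a log line with its masked form."""
    def repl(match):
        addr = _parse(match.group(0))
        return match.group(0) if addr is None else str(mask(addr))
    return TOKEN.sub(repl, line)

def audit(lines):
    """List addresses that still carry host bits, e.g. in logs older than 24 hours."""
    found = []
    for line in lines:
        for token in TOKEN.findall(line):
            addr = _parse(token)
            if addr is not None and mask(addr) != addr:
                found.append(token)
    return found

# Constructed sample lines (web access log and mail log style), not real traffic.
SAMPLE = [
    '203.0.113.77 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2024:13:55:40 +0000] "GET / HTTP/1.1" 200 98',
    'Oct 10 13:56:01 host postfix/smtpd[4242]: connect from unknown[198.51.100.23]',
]
```

Running `audit()` over rotated logs is a quick way to confirm that no full addresses remain after the anonymization window, while the current log is left untouched so Fail2ban can still read it.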
User Activity Tracking
Plesk Obsidian includes a User Activity Tracking (UAT) tool that gathers certain data about the way the product is used. Plesk gathers this information to better understand how Plesk is used and, ultimately, to deliver a better product. Before processing, we strip all UAT data sent by Plesk servers of anything that could even potentially be used to identify a subject. The tool is fully GDPR compliant:
- The tool does not send any data that could be considered personally identifiable information (PII), either separately or cumulatively with other reported data. The kind of data the tool sends is the date/time an event took place, the server's unique ID (although the ID is unique, it cannot be used to identify the server owner without access to the PII Plesk International GmbH gathers to fulfill contractual obligations and securely stores in a system separate to that handling UAT data), the type of user that initiated the event (administrator/reseller/user), the page the event took place on, the specific control the user interacted with, and so on.
- The data is funneled through the Amazon Kinesis Data Firehose service and stored in AWS S3.
The tool operates on an opt-out basis. To disable the tool on your Plesk server, add the following lines to the panel.ini file:
[userActivityTracking]
enabled = off
- Plesk International GmbH does not receive any IP addresses from Plesk servers.
- Plesk International GmbH does not receive any IP addresses from the AWS infrastructure. Furthermore, neither Plesk International GmbH nor AWS store IP addresses within the AWS infrastructure. Learn more about AWS GDPR compliance.
Plesk Obsidian uses Sentry.io, a third-party service, to track errors and monitor performance. Plesk gathers this information to identify and fix bugs and performance bottlenecks. The service reports that it is fully GDPR compliant.
Are Plesk Onyx and earlier Plesk versions GDPR compliant?
- Plesk Onyx 17.8 and 17.5 are GDPR compliant in the same way Plesk Obsidian is.
- Plesk Onyx 17.0, Plesk 12.5, and Plesk 12.0 are not GDPR compliant because they send Plesk administrator’s personal data to the Key Administrator and the Partner Central services without the Plesk administrator’s express consent. In addition, these Plesk versions do not anonymize IP addresses in logs.
If you are running an earlier Plesk version, we strongly recommend updating to Plesk Obsidian.